This vulnerability affects Oracle Identity Manager Connector 12.2.1.4.0, part of Oracle Fusion Middleware. It allows an unauthenticated attacker with network access via HTTP to compromise the connector, resulting in unauthorized access to critical or all accessible data. The CVSS 3.1 vector indicates network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, and high confidentiality impact without integrity or availability impact. The vulnerability is categorized under CWE-306 (Missing Authentication for Critical Function). Oracle's April 2026 Critical Patch Update advisory references this vulnerability and strongly recommends applying the patches included in that update.

Successful exploitation can lead to unauthorized access to critical data or complete access to all data accessible by Oracle Identity Manager Connector. The confidentiality of sensitive information is at risk, but there is no impact on integrity or availability. The attack requires network access via HTTP and is difficult to exploit due to high attack complexity. No known active exploits have been reported.

Oracle has addressed this vulnerability in its April 2026 Critical Patch Update. Customers are strongly advised to apply the April 2026 Critical Patch Update for Fusion Middleware products, which includes patches for this vulnerability. No alternative mitigations or temporary fixes are specified. Patch status is confirmed by the vendor advisory. Organizations should ensure they are running supported versions and apply the official patches without delay.